Ransomware attacks – should Australian businesses pay up?

Ransomware has become one of Australia’s fastest-growing cyber threats in recent years, driven by new and innovative tactics that cybercriminals use to amplify the financial and disruptive impacts such attacks have on businesses across the country, the latest report from the Australian Cyber Security Centre (ACSC) has revealed.

In its annual cyber threat report, the agency disclosed that it has received almost 500 ransomware cybercrime reports during the 2020-21 financial year, a 15% jump from the previous period. During the period, the department also responded to about 160 cybersecurity incidents related to ransomware.

Organisations in the professional, scientific, and technical services sector were the most targeted group, followed by those in healthcare and social assistance, manufacturing, education and training, and government. These five sectors accounted for almost half of ransomware-related incidents reported to the ACSC in the last financial year.

Read more: Rate of ransomware attacks in Australia exceeds global average

The agency attributed the spike to cyber criminals’ adoption of business principles.

“New business models make ransomware available to a broader range of offenders, akin to a criminal franchising arrangement,” the department wrote. “During the 2020–21 financial year, the ACSC observed an increase in professional syndicates operating ransomware-as-a-service (RaaS), which enables affiliates to use predeveloped ransomware tools to execute ransomware attacks in return for providing a percentage of the profits to the syndicate. This development has contributed to an increase in ransomware globally and enabled the targeting of a wider range of victims.”

The ACSC also saw a rise in ransomware attacks targeting “vulnerable and critical elements of society,” with payment demands ranging from thousands to millions of dollars, as access to dark web tools and services improved cybercriminals’ capabilities.

“Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation,” the agency added.

What happens during a ransomware attack?

The ACSC defines ransomware as a “type of malware that cybercriminals use against a victim to prevent access to files or systems that are of value to the organisation until a ransom is paid.” It can cause severe reputational damage to a business and can be costly to mitigate.

The agency also detailed the five stages of how cyber actors conduct ransomware attacks against devices and systems. These are:

1. Cyber actors compromise and encrypt sensitive files on IT systems, threatening to release, block access to, or delete the files unless a payment is made.
2. Precursor malware is deployed through phishing emails, remote access, or by exploiting vulnerabilities in applications or software. The malware is then used to deploy ransomware.
3. Once the cyber actor has access to the victim’s systems, files may be exfiltrated and encrypted.
4. A ransom demand is made, indicating the amount to be paid – almost always in the form of untraceable cryptocurrency such as Bitcoin – and the deadline. The actor may use other tactics in an attempt to further extort victims who do not pay.
5. If a victim pays the ransom, the cyber actor may provide a decryption key to allow the victim to unlock the files. The actor may separately demand a ransom to prevent the release of stolen data.

Read more: Ten ways to protect your business from cyber attacks

In a separate white paper, the ACSC laid down the different “innovations in ransomware” that cybercriminals have adopted in recent years to “incentivise victims” to make payments. These tactics include:

• Undertaking extensive reconnaissance on a target to understand its size, scope, and vulnerabilities and subsequently tailoring their approach to a victim’s perceived ability to pay or potential impact. Some cyber actors claim to review a company’s net income to establish an appropriate ransom amount.
• Increasing the ransom price after a specific period to persuade the victim to make payment early, pressure the organisation to resolve the incident quickly, and reduce the window for
• intervention.
• Offering to decrypt a portion of the encrypted network for a reduced price to encourage the victim to pay at least part of the ransom. This may also reveal the parts of the victim’s network that are particularly valuable and the information they can on-sell to other cybercriminals or use in subsequent ransomware incidents.
• Targeting sectors that are vulnerable and likely to be under pressure to pay to maintain business-as-usual operations for essential or critical services.
• Combining encryption with exfiltration of data, threatening to publicly release information if the ransom is not paid, and publicly releasing stolen information when a ransom is refused.
• Publicly advertising successful compromises prior to the ransom due date, including notifying the victim’s customers and partners, which is designed to place added pressure on the victim.

Is it legal for Australian businesses to make ransomware payments?

While there is currently no legislation in Australia directly prohibiting businesses from making ransomware payments, doing so could constitute an offence in certain circumstances.

Paying ransom can be considered giving money to criminals or knowingly funding criminal activities, including terrorism, which is in violation of the Criminal Code Act 1995 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

The ACSC also advised businesses to refrain from paying ransom demands as it does not guarantee that data would be unlocked and might increase the risk of the organisation being retargeted in the future.

Read more: The threat of 'triple extortion' in ransomware pandemic

How can Australian businesses mitigate the risks of a ransomware attack?

The ACSC listed several practical tips that businesses can implement to prevent a ransomware attack from happening or mitigate its effects. Some of these strategies include:

1. Conducting regular back-ups

The agency advised businesses to back-up files from computers, phones, and other devices regularly, and choose automatic back-ups where possible.

“Backups need to be kept separately from the network, on separate devices or using a cloud service,” ACSC noted. “Immediately disconnect external storage after backups are created to avoid backups also being encrypted. Ransomware can encrypt cloud back-ups if a user remains authenticated to the service, or auto-sync is enabled with local files.”

The department also recommended that businesses ensure that employees know how to restore files from back-ups and that they practice conducting restoration regularly.

2. Ensuring network and data are secure

Operating systems and security software should be updated automatically to fix security flaws, so it is important that users never disregard update prompts, according to ACSC.

“As with the regular back-ups, this should be done automatically where possible,” it added. “This includes ensuring internet-facing devices are configured properly, with security features enabled.”

3. Disabling macros in Microsoft Office where possible

The ACSC recommended disabling the use of Microsoft Office macros for users that do not require them and only allowing the use of digitally signed macros for all other users. The agency added that macros originating from files from the internet should be blocked and scanned using macro antivirus.

4. Having a plan ready

Businesses should have a plan in place to reduce the damage and impact of ransomware on their operations. This may include the development and exercising of business continuity and disaster recovery plans. Having a plan ready will enable organisations to recover quickly and help them safeguard against future incidents.

The ACSC also recommended the following measures:

• Removing administrative privileges for staff that do not require them
• Educating staff so they are less likely to access malicious hyperlinks and visit unknown websites, and can recognise slight changes in URLs
• Installing and regularly updating antivirus software
• Installing a firewall to stop traffic from untrustworthy sources from getting into the company’s network
• Enabling multi-factor authentication (MFA)

Read more: Aussie officials: Cyber insurance should not cover ransomware attacks

What should Australian businesses do if they fall victim to ransomware attacks?

A recent survey conducted by cybersecurity giant Crowdstrike has found that more than two-thirds of Australian businesses have fallen victim to a ransomware attack between 2019 and 2020. Of these, a third paid the ransom, which cost $1.25 million on average.

For businesses that will be hit by ransomware, the ACSC has this three-step advice:

1. Do not pay the ransom

According to the agency, there is no guarantee that cybercriminals will decrypt files once the ransom is paid, adding that there is a chance that files may not be even recoverable, especially when the attackers use wiper malware, which sometimes masquerades as ransomware and permanently modifies or deletes files. Further, the link provided to the victim directing them to information about payment and contacts may install further malware into their system or network.

2. Report the attack

The ACSC manages ReportCyber, an online portal where individuals, businesses, organisations, and Commonwealth entities can report cybercrime incidents. This can help prevent future attacks from happening.

3. Seek help from a cyber security provider

Recovery from ransomware incidents is costly, both from a reputational and financial standpoint. However, early engagement of a cyber security provider may result in more timely remediation compared to internal IT teams that may not be resourced appropriately to respond. It can also pave the way for a faster return to business-as-usual operations, allowing businesses to save money in the long run.